Must admit, the remote wipe could be useful in certain circumstances. But why was there no mandatory additional authentication to proceed with it? Seems like just being logged in to the iCloud account was sufficient.

I own none of that particular vendor's devices, nor use any of their services. Don't intend to either, although MS seem to be heading down the wrong track.

Looking at the comments... Cripes... Go figure. They degenerate immediately. I think there was only 1 there that was worthwhile reading and not just full of vitriol and arrogance.

Here's the worthwhile one:

Quote

1. I seriously doubt that the hacker brute forced the iCloud account password. iCloud (as does Google) allows for only a limited number of password attempts before locking up. Then you have to answer two of three security questions (the two factor authentication). Therefore, unless you use an extremely easy password to guess, brute force is going to fail since it will take too much time to do.

2. MORE LIKELY: The Hacker is someone the person knows who then got access to his password or someone who used a keylogger. With a keylogger, if you ever log into any of your accounts on someone else's computer or public terminal, you are screwed immediately.

3. Since the iCloud account was used as the person's central account, any other account which uses that central account as the backup email address (such as his Google and Twitter accounts) became vulnerable to a password reset request.

4. The Hacker easily gained access to his Gmail Account and Twitter Account even without knowing the password by simply knowing those accounts' backup addresses and sending a password reset request. This shows that Gmail and Twitter are also not very secure.

5. Remote Wipe is a good thing. The only problem is if a Hacker gains access to the account that can do a remote wipe, you can be remote wiped. Thus, to guard against this possibility, always do backups of your data.

6. Backups are clearly important. If the person used Time Machine AND another app (such as ChronoSync) to do hourly backups AUTOMATICALLY AND WITHOUT SUPERVISION, then he would only lose 1 hour of work.

7. Using only one backup email address is bad. This can occur not only with iCloud but also Google and any other email accounts. The key is that the person used his iCloud account as the backup email account for every other account he had - his Google account, his Twitter account, etc. This links these other accounts to the original account. This problem is the same if he used his Gmail account as his primary backup account. It isn't limited to using Apple's iCloud account. Using only one email as the primary backup account makes every other account linked to it insecure and accessible because all these other accounts are easy to access via a password request - Google, Twitter are easily accessed.

8. Strong passwords and regularly changing passwords are important. This helps protect against keyloggers and people you know from accessing your account if they don't do it immediately. Being able to mix numbers, capital letters, and small letters helps make the password more secure. Being able to add symbols (e.g. ! or *, etc.) to the password increases security even more.

The most important lessons:

1. any account can be hacked.

2. backup, backup, backup, backup, backup, backup,...

Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.

This means that regardless of how good your password is, your computer can be hacked by Apple. Bottom line, TRUST NO ONE.
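Points 3, 4 and 7 of the quoted comment describe accounts chained together through their backup e-mail address. The following audit sketch is an added example, not part of the thread: it takes an inventory of accounts and the mailbox each one sends its password reset to, then works out how many other accounts fall when one mailbox is taken over. The account names and the `RECOVERY` map are constructed sample data.

```python
from collections import deque

# Constructed sample inventory: account -> the account whose mailbox receives
# its password-reset mail (None = no e-mail recovery path configured).
RECOVERY = {
    "icloud": None,
    "gmail": "icloud",
    "twitter": "icloud",
    "forum": "gmail",
    "bank": "separate-mailbox",
    "separate-mailbox": None,
}

def blast_radius(recovery, compromised):
    """Return every account that can be reset, directly or transitively,
    by someone who controls the `compromised` account's mailbox."""
    # Invert the map: mailbox -> accounts that send their reset mail to it.
    dependents = {}
    for account, mailbox in recovery.items():
        if mailbox is not None:
            dependents.setdefault(mailbox, set()).add(account)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        current = queue.popleft()
        for account in dependents.get(current, ()):
            if account not in seen:  # also guards against recovery loops
                seen.add(account)
                queue.append(account)
    return seen - {compromised}

def rank_single_points_of_failure(recovery):
    """List (account, number of other accounts lost), worst first."""
    names = set(recovery) | {m for m in recovery.values() if m}
    scores = [(name, len(blast_radius(recovery, name))) for name in names]
    return sorted(scores, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for name, lost in rank_single_points_of_failure(RECOVERY):
        print(f"{name:18} takes {lost} other account(s) with it")
```

An account at the top of the ranking is the one whose recovery path and sign-in protection deserve the most attention, and splitting recovery addresses across independent mailboxes lowers its score.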

I was surprised to read that the hacker "got in through Apple tech support and some clever social engineering that let them bypass security questions." Huh? I don't use Apple stuff, but it's nonetheless disconcerting--make that alarming--that tech support is somehow involved/insecure and that one can somehow bypass security questions. I wish I understood how this could happen. If it could happen with Apple, I'm sure it could happen as well with MS. I try to keep my paranoia level under control, but this has sent it sky high...um...to the cloud(s)?

I was surprised to read that the hacker "got in through Apple tech support and some clever social engineering that let them bypass security questions." Huh?

Why? That is quite literally the oldest trick in the book. Scam artists have been using pieces of info to validate claims about one person to fool another since the beginning of time. A casual 5-minute conversation with anyone will glean enough info to do a Google search for the rest of the details to answer security questions. ...And with folks putting their life story on Facebook...the first two steps are academic.

Security question: High school mascot

Hey friend, where you from?? [Gets town name]

Really? I've got a friend/cousin/coworker who grew up there..said it was a nice place but their HS mascot sucked... [Answer: That's odd, what's wrong with xxxxx?] oops.

I was surprised to read that the hacker "got in through Apple tech support and some clever social engineering that let them bypass security questions." Huh?

Why? That is quite literally the oldest trick in the book. Scam artists have been using pieces of info to validate claims about one person to fool another since the beginning of time. A casual 5-minute conversation with anyone will glean enough info to do a Google search for the rest of the details to answer security questions. ...And with folks putting their life story on Facebook...the first two steps are academic.

Well, I guess I was assuming that other people are as cautious/paranoid as I am. I put next-to-no personal info on Facebook and don't use security questions that can be answered via a Google search. At least, I don't think I do. I do tend to be more truthful when I deal with tech support, but I frankly can't imagine someone knowing enough about me to be able to get personal info about me from tech support.

Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data.

The fact Apple now has his MacBook and is attempting to recover his data speaks volumes.

Guess that alone is enough to remove anybody's doubt Apple's Tech Support fell for some social engineering.

Which goes back to something Gerry Weinberg once observed: It's never a technical problem. It's always a "people" problem. And anytime you find something that's not, you need to check it again.

I was surprised to read that the hacker "got in through Apple tech support and some clever social engineering that let them bypass security questions." Huh?

Why? That is quite literally the oldest trick in the book. Scam artists have been using pieces of info to validate claims about one person to fool another since the beginning of time. A casual 5-minute conversation with anyone will glean enough info to do a Google search for the rest of the details to answer security questions. ...And with folks putting their life story on Facebook...the first two steps are academic.

Well, I guess I was assuming that other people are as cautious/paranoid as I am. I put next-to-no personal info on Facebook and don't use security questions that can be answered via a Google search. At least, I don't think I do. I do tend to be more truthful when I deal with tech support, but I frankly can't imagine someone knowing enough about me to be able to get personal info about me from tech support.

Just one more reason not to trust your data to anything that you can't fit in a bank's safe deposit box. And even then, better have at least 3 discrete devices with the same dataset if it is anything you can't replace.

I know I put one over on a lawyer using the triplicate backup approach. Had a sensitive file with case damaging contents stored on a server in a colocation facility. Though I can't prove who did it, I have a good reason to believe that the opposing lawyer hired someone to DDoS that server to oblivion, in an attempt to keep that file from reaching court and damaging their case.

Unfortunately for them, I had 3 copies of it- the remote, the original on my old laptop, and a third copy on a memory stick in my wallet.

Needless to say the look on the lawyer's face when that file successfully reached the courtroom and was entered as evidence. And I didn't even invoke the third copy, the copy that was entered into evidence was actually sourced from the original file on the laptop that had encoded it. It proved to be far more useful than I thought, completely blowing the opposition out of the water.

But that's where good practice triumphs over shady business. Always, always, always, if it is important enough that you can't remake it or download it easily, maintain at least 3 current copies of it stored separately.

And this whole hacked via the cloud thing? It certainly took long enough. I expected stuff like this to start happening last year when Cloud became the latest big thing in IT. It's going to be a long time before I put anything in the cloud, and even then they'll be individually encrypted with the key something I would carry on me at all times.